Citrix Cloud

Configure ADFS as a SAML provider for workspace authentication

This article describes how to configure the relying party trust that Citrix Cloud requires for signing in to Citrix Workspace or Citrix Cloud using SAML.

After you complete the steps in this article, you can configure the SAML connection between your ADFS server and Citrix Cloud as described in Connect SAML as an identity provider in Citrix Cloud. For guidance for entering the correct ADFS values for your SAML connection, see SAML configuration in Citrix Cloud in this article.

Prerequisites

The instructions in this article assume that you have an operating ADFS server deployment with Citrix FAS in your environment. Citrix FAS is required to provide single sign-on to VDAs during session launch.

For more information, refer to the following articles:

Configure a relying party trust for Citrix Cloud

  1. From the AD FS management console, expand the AD FS node in the left pane.
  2. Right-click Relying Party Trust and select Add Relying Party Trust.

    Add Relying Party Trust menu option

    The Add Relying Party Trust wizard appears.

  3. Select Claims aware and then select Next.

     ADFS Trust Wizard with Claims aware option selected

  4. In Federation metadata address, enter https://saml.cloud.com/saml/metadata.xml. Select Next.

    ADFS Trust Wizard with federation metadata address entered

  5. For the display name, enter CitrixCloudProd. Select Next.

    ADFS Trust Wizard with display name entered

  6. For the access control policy, select Permit everyone. Select Next.

    ADFS Trust Wizard with access control policy highlighted

  7. On the Ready to Add Trust screen, select Next.
  8. On the Finish screen, select Configure claims issuance policy for this application. Select Next.

    ADFS console with Edit Claim Issuance Policy menu option selected

  9. Right-click the newly created relying party trust and select Edit Claim Issuance Policy.
  10. Click Add Rule and then select Send LDAP Attributes as Claims. Select Next.
  11. In Claim rule name, enter CitrixCloud.
  12. In Attribute store, select Active Directory.
  13. Under Mapping of LDAP attributes to outgoing claim types, add the following LDAP attributes, exactly as shown:

    LDAP attribute         Outgoing Claim Type
    User-Principal-Name    Name ID
    User-Principal-Name    cip_upn
    E-Mail-Addresses       cip_email
    objectSID              cip_sid
    objectGUID             cip_oid
    Display-Name           displayName
    Given-Name             firstName
    Surname                lastName

    Configured claim rule

  14. Select Finish.
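The same relying party trust and claim rule, created with PowerShell instead of the wizard, as an added example (this is not Citrix's sample script or its claimrules.txt). It assumes ADFS on Windows Server 2016 or later (for the built-in "Permit everyone" access control policy), an elevated PowerShell session on the ADFS server, and that no trust named CitrixCloudProd exists yet.

```powershell
# Added example: creates the CitrixCloudProd relying party trust and the claim rule from
# steps 1-14 with PowerShell. Assumes ADFS on Windows Server 2016 or later, run elevated.
Import-Module ADFS

$trustName = "CitrixCloudProd"
$metadata  = "https://saml.cloud.com/saml/metadata.xml"

# Equivalent of the "Send LDAP Attributes as Claims" rule in step 13. Each entry in
# 'types' is paired, in order, with the LDAP attribute at the same position in 'query';
# Name ID comes first, which Single Logout from Citrix Cloud requires.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "CitrixCloud"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "cip_upn", "cip_email", "cip_sid", "cip_oid", "displayName", "firstName", "lastName"),
    query = ";userPrincipalName,userPrincipalName,mail,objectSid,objectGUID,displayName,givenName,sn;{0}",
    param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $trustName) {
    throw "Relying party trust '$trustName' already exists; update it with Set-AdfsRelyingPartyTrust instead."
}

# Metadata-based trust with the signing settings this article recommends applied up front
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $metadata `
    -AutoUpdateEnabled $true `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $claimRules `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature "MessageAndAssertion" `
    -Enabled $true

# Read the trust back and show the settings that matter for this configuration
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Enabled, AutoUpdateEnabled, SignedSamlRequestsRequired, SamlResponseSignature
```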

Modify a Citrix Cloud relying party trust using PowerShell

If you’ve configured your ADFS server using the default “out of the box” configuration, the steps in this section enable you to update it so it meets the Citrix-recommended configuration. This task is required to resolve an issue where SAML Single Logout from Citrix Cloud or Citrix Workspace fails if the nameidentifier attribute isn’t included in the claim rule set or isn’t the first SAML attribute in the claim rule set.

Note:

You don’t need to perform this task if you created your claim rule set using the steps in Configure a relying party trust for Citrix Cloud in this article.

To complete this task, you replace the existing rule set with a new claim rule set using PowerShell. The ADFS management console doesn’t support this type of operation.

  1. On the ADFS server, locate the PowerShell ISE. Right-click and select Run as administrator.
  2. Back up your existing ADFS claim rules to a text file:

    # Backs up the rules of the CitrixCloudProd trust, the trust name used throughout this article
    Get-ADFSRelyingPartyTrust -Name "CitrixCloudProd" | Select-Object -ExpandProperty IssuanceTransformRules | Out-File "$env:USERPROFILE\desktop\claimrulesbackup.txt"

  3. Download the claimrules.txt file that Citrix provides at https://github.com/citrix/sample-scripts/tree/master/citrix-cloud.
  4. Copy the claimrules.txt file to your desktop.
  5. Import the required claim rules using the claimrules.txt file:

    # Set-ADFSRelyingPartyTrust selects the trust to change with -TargetName (-Name would rename it)
    Set-ADFSRelyingPartyTrust -TargetName "CitrixCloudProd" `
                          -MetadataUrl "https://saml.cloud.com/saml/metadata" `
                          -AutoUpdateEnabled $True `
                          -IssuanceTransformRulesFile "$env:USERPROFILE\desktop\claimrules.txt" `
                          -SignedSamlRequestsRequired $True `
                          -SamlResponseSignature "MessageAndAssertion" `
                          -Enabled $True

Update SAML signing settings for the relying party trust using PowerShell

By default, ADFS relying party trusts have the following settings:

  • EncryptClaims: True
  • SignedSamlRequestsRequired: False
  • SamlResponseSignature: AssertionOnly

For increased security, Citrix recommends using signed SAML requests for both Single Sign-on (SSO) and Single Logout. This section describes how to update the signing settings of an existing relying party trust using PowerShell so they meet the Citrix-recommended configuration.

  1. Obtain the current RelyingPartyTrust configuration on your ADFS server.

    # Get-ADFSRelyingPartyTrust looks the trust up by -Name; -TargetName belongs to Set-ADFSRelyingPartyTrust
    Get-ADFSRelyingPartyTrust -Name "CitrixCloudProd"

  2. Update the CitrixCloudProd relying party trust settings.

    # Set-ADFSRelyingPartyTrust selects the trust to change with -TargetName (-Name would rename it)
    Set-ADFSRelyingPartyTrust -TargetName "CitrixCloudProd" `
                          -SignedSamlRequestsRequired $True `
                          -SamlResponseSignature "MessageAndAssertion"

  3. Contact Citrix Support and request to activate the authentication feature EnableSamlLogoutSigningAndPost on your Citrix Cloud customer. This causes Citrix Cloud to send SAML Single Logout requests as signed POST requests instead of unsigned Redirect requests when users sign out of Citrix Workspace or Citrix Cloud. Sending signed POST requests is required if the SAML provider requires signed requests for Single Logout and rejects unsigned redirects.
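A read-back check for the settings in this section and for the Name ID ordering that the Single Logout issue in Modify a Citrix Cloud relying party trust using PowerShell depends on, as an added example (not Citrix's code). It assumes the trust is named CitrixCloudProd and that it runs in an elevated session on the ADFS server; the Name ID ordering test is a textual approximation of "first SAML attribute in the claim rule set".

```powershell
# Added example: audits an existing relying party trust against the Citrix-recommended
# signing settings and the Name ID ordering needed for Single Logout. Assumes the trust
# is named CitrixCloudProd and that the script runs elevated on the ADFS server.
Import-Module ADFS

function Test-CitrixCloudTrust {
    param([string]$TrustName = "CitrixCloudProd")

    $rpt = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $rpt) { throw "Relying party trust '$TrustName' not found." }

    $findings = @()
    if (-not $rpt.Enabled) { $findings += "Trust is disabled" }
    if (-not $rpt.SignedSamlRequestsRequired) {
        $findings += "SignedSamlRequestsRequired is False: unsigned AuthnRequest and LogoutRequest messages are accepted"
    }
    if ($rpt.SamlResponseSignature -ne "MessageAndAssertion") {
        $findings += "SamlResponseSignature is '$($rpt.SamlResponseSignature)', expected MessageAndAssertion"
    }

    # Single Logout fails unless Name ID is issued and is the first SAML attribute.
    # Approximation: the nameidentifier claim type must appear in the rule text before
    # any of the cip_* attributes from the claim rule in this article.
    $rules     = [string]$rpt.IssuanceTransformRules
    $nameIdPos = $rules.IndexOf("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier")
    $cip       = [regex]::Match($rules, 'cip_(upn|email|sid|oid)')
    if ($nameIdPos -lt 0) {
        $findings += "No issuance rule emits the Name ID claim"
    } elseif ($cip.Success -and $cip.Index -lt $nameIdPos) {
        $findings += "Name ID is not the first SAML attribute in the claim rule set"
    }

    [pscustomobject]@{
        Trust     = $TrustName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-CitrixCloudTrust | Format-List
```

Run it before and after the Set-ADFSRelyingPartyTrust change in step 2 to confirm the trust now reports Compliant = True.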

SAML configuration in Citrix Cloud

When you configure the SAML connection in Citrix Cloud (as described in Add SAML provider metadata to Citrix Cloud), you’ll enter the values for ADFS as follows:

In this field in Citrix Cloud    Enter this value
Entity ID                        https://adfs.YourDomain.com/adfs/services/trust, where YourDomain.com is your ADFS server domain.
Sign Authentication Request      Yes
SSO Service URL                  https://adfs.YourDomain.com/adfs/ls, where YourDomain.com is your ADFS server domain.
Binding Mechanism                HTTP Post
SAML Response                    Sign Either Response Or Assertion
Authentication Context           Unspecified, Exact
Logout URL                       https://adfs.YourDomain.com/adfs/ls, where YourDomain.com is your ADFS server domain.